Creating a keystore

This topic describes how to create a JKS keystore.

The procedure uses the keytool utility to create a simple JKS keystore suitable for use with JSSE. Details of the keystore creation will vary depending on such factors as the tool you are using and the Certificate Authority who will sign the certificate.

This procedure assumes that you have added the keytool path to your PATH environment variable. This allows you to run the utility from anywhere on your machine. The procedure also assumes that you have created a directory (C:\MyKeys in this example) to create and store the keystore. Afterwards, you can copy it to the Jetty etc directory. (Alternatively, you can create the keystore in the Jetty etc directory.)

While creating the certificate, you will be asked to enter the Common Name for the certificate with this prompt: 
What is your first and last name?

The Common Name is typically composed of Host + Domain Name. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For the Endeca Server certificate, you can use the name of the server, including its full domain name. This procedure will use app23.example.com as the Common Name. After enabling SSL, you can specify the same Common Name with the --host option of the endeca-cmd commands.

To create a keystore:

  1. From a command prompt, navigate to the C:\MyKeys directory.
  2. Generate a private key and a self-signed public key, as in this sample command: 
    keytool -genkey -alias server -validity 365 -keyalg RSA -keystore keystore
    The example uses the RSA algorithm and the keys will be stored in the keystore file. Note that you can use another name for your keystore file other than our keystore example).
  3. Answer the keytool DN prompts: 
    Enter keystore password: strongKeystorePassword
Re-enter new password: strongKeystorePassword
Or
What is your first and last name?
  [Unknown]:  app23.example.com
What is the name of your organizational unit?
  [Unknown]:  Apps Department
What is the name of your organization?
  [Unknown]:  example.com
What is the name of your City or Locality?
  [Unknown]:  Cambridge
What is the name of your State or Province?
  [Unknown]:  Massachusetts
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=app23.example.com, OU=Apps Department, O=example.com, L=Cambridge, 
ST=Massachusetts, C=US correct?
  [no]:  yes

Enter key password for <server>
        (RETURN if same as keystore password): <RETURN>
    When you answer the last prompt, keytool writes the keystore file in the current directory. The keystore contains a private key and a self-signed public key.
    Note that although you have the minimal requirements to run an SSL connection, the certificate you have generated will not be trusted by most clients. Therefore, the next step is to obtain a trusted certificate by having the public key signed by a known Certificate Authority (CA).
  4. Generate a Certificate Signing Request (CSR) with the -certreq option: 
    keytool -certreq -alias server -keyalg RSA -file endeca.csr -keystore keystore
    When asked for the keystore password, enter the password you specified at Step 3.
  5. Send the CSR to a Certificate Authority (CA) for signing.
    The CA will send you a certificate file that bears the CA's signature.
  6. Import the signed certificate into the keystore: 
    keytool -import -file rootCA.pem -keystore keystore -trustcacerts
    As part of the keytool dialog, you will be asked for the password you specified at Step 3 and also if you trust the certificate: 
    Enter keystore password: strongKeystorePassword
...

Trust this certificate? [no]:  yes
Certificate was added to keystore
  7. If you created the keystore in a separate working directory, you can copy the keystore to the Jetty etc directory.

The next two steps are to obfuscate the keystore password and activate the SSL connector in the jetty-ssl.xml file.